From a "News Flash" to a Security Checklist

 

A sudo privilege escalation flaw (CVE-2026-35535) in Rocky Linux allows local users to gain root access. This guide covers how to identify vulnerable systems, patch them immediately, set up an automated update, and apply a manual workaround as a temporary fix.

News headlines about sudo vulnerabilities come and go every few months. But the underlying problem remains the same: sudo is the central tool for privilege escalation on Linux systems. 

When a flaw like CVE-2026-35535 appears, it’s crucial to treat it not as a one-time scare, but as a reason to revisit your entire security hygiene.

In May 2026, a patch (RLSA-2026:12310) was released for Rocky Linux 9 to close a privilege escalation bug in the sudo package. The vulnerability involved a failure in how sudo drops privileges (via setuid, setgid, and setgroups calls) before executing the mailer — a failure that could allow a local attacker to gain full root access.

Below is an evergreen guide to check, fix, and harden your setup against this class of sudo flaws, not just for this specific CVE, but for future vulnerabilities as well.

How to Check If You Are Vulnerable (Rocky Linux)

Perform these three checks to determine whether your system is exposed.

Step 1: Check the sudo version

The vulnerable versions are up to 1.9.5p2 (the patch version is sudo-1.9.5p2-15.el9_7).

bash

$ sudo --version | head -n1

# Example output (vulnerable):
Sudo version 1.9.5p2

This is the most reliable way to identify the risk. If your output shows 1.9.5p2 or an earlier version, you need to update immediately.

Step 2: Verify the exact installed RPM

bash

$ rpm -q sudo

# Example output (vulnerable):
sudo-1.9.5p2-14.el9_7.x86\_64

The fixed version is sudo-1.9.5p2-15.el9_7 (or newer for future patches).

Step 3: (Optional) Check for security updates without installing

bash

$ sudo dnf updateinfo list --security

This shows all security advisories available for your system. Look for an entry referencing sudo or RLSA-2026:12310.

Automation Script to Apply the Fix

Below is a hardened bash script that works on Rocky Linux, as well as other major RHEL-derived distributions. It checks the current status, applies the update, and logs the result — ready to be scheduled via cron.

Script: apply-sudo-security-fix.sh

bash

#!/bin/bash
# apply-sudo-security-fix.sh
# A robust script to patch sudo on RHEL-derivatives (Rocky, Alma, RHEL, etc.)

set -e

LOG_FILE="/var/log/sudo-security-update.log"
echo "=== Security update started: $(date) ===" >> "$LOG_FILE"

# 1. Check current version
echo "  Checking current sudo version..." | tee -a "$LOG_FILE"
CURRENT_VERSION=$(sudo --version | head -n1 | awk '{print $3}')
echo "    Current sudo version: $CURRENT_VERSION" | tee -a "$LOG_FILE"

# 2. Detect if an update is available
echo "  Checking for latest sudo update..." | tee -a "$LOG_FILE"
if sudo dnf check-update sudo >/dev/null 2>&1; then
    echo "    Update found. Proceeding to apply patch..." | tee -a "$LOG_FILE"
else
    echo "    No update available. Version is up-to-date." | tee -a "$LOG_FILE"
    exit 0
fi

# 3. Apply the security update
echo "  Applying update for sudo..." | tee -a "$LOG_FILE"
sudo dnf update -y sudo >> "$LOG_FILE" 2>&1

# 4. Verify the fix
NEW_VERSION=$(sudo --version | head -n1 | awk '{print $3}')
echo "    New sudo version: $NEW_VERSION" | tee -a "$LOG_FILE"
echo "=== Security update completed: $(date) ===" >> "$LOG_FILE"

How to run the script on your system:

   1 Save the script as /usr/local/bin/apply-sudo-security-fix.sh.

   2. Make it executable: chmod +x /usr/local/bin/apply-sudo-security-fix.sh.

   3. Run it manually: sudo ./apply-sudo-security-fix.sh.

   4. (Optional) Schedule it with a weekly cron job: sudo crontab -e and add:

text

0 2 * * 1 /usr/local/bin/apply-sudo-security-fix.sh

This will run the check every Monday at 2:00 AM.

For environments with many machines, consider setting up dnf-automatic on Rocky Linux to enable unattended security updates for all packages.

Build Your Ultimate Linux Lab – Everything Included

Stop hunting for compatible power supplies, cables, and cases. The CanaKit Raspberry Pi 5 Essentials Starter Kit gives you a 4GB Pi 5, an official black case, a high‑quality 27W USB‑C power supply with a built‑in fan header, a premium micro HDMI cable, and a pre‑loaded NOOBS SD card – all in one box.

Whether you’re testing firewall rules, simulating network attacks, or learning system hardening in a sandbox, this kit saves you hours of setup and eliminates “missing part” frustration. 

Just unbox, plug in, and start building your secure home lab today.:

👉 Get the Kit Now – Click to see price and availability on Amazon

This post contains affiliate links. We may earn a commission on qualifying purchases.

Alternative Mitigation If You Can’t Update Now

If an immediate update is not feasible due to downtime restrictions or legacy dependencies, apply these temporary countermeasures to reduce the risk.

Important: These steps are not a replacement for the patch

They are defensive hardening measures that make exploitation harder.

1. Restrict sudo permissions aggressively

Edit the sudoers file with visudo and restrict which commands users can run with elevated privileges. For example:

bash

# Avoid using NOPASSWD unless absolutely necessary
# Example of a restricted rule (instead of full root access):
%wheel ALL=(ALL)       ALL       # Allows ALL commands (best avoided)
%devops ALL=(ALL)      /usr/bin/systemctl restart nginx, /usr/bin/journalctl   # Very narrow permissions

A poorly configured sudoers file is a common jumping-off point for privilege escalation. The principle of least privilege is your strongest ally here.

2. Disable unattended passwordless sudo

Remove any lines containing NOPASSWD: from the /etc/sudoers file. Attackers often look for these rules to escalate.

3. Monitor logs for suspicious sudo activity

Set up a simple monitoring rule to log every sudo execution:

bash

echo "Defaults logfile=/var/log/sudo.log" >> /etc/sudoers.d/logging

Check it daily for anomalies (tail -f /var/log/sudo.log). This won't block an attack, but it gives you early detection.

4. If you rely on iptables (already configured), make sure only trusted users can login locally

This vulnerability requires local access. If your iptables rules already restrict inbound SSH connections to a small set of IPs, that significantly reduces the attack surface.

Conclusion

A single sudo security patch might get old news in a few months, but the practices you follow today — checking versions, automating updates, restricting sudoers, and monitoring logs — protect you from dozens of future vulnerabilities. 

Don't just apply this fix and move on. Use it as a trigger to upgrade your entire security routine.

Your call to action:

• Run the verification script on all your Rocky Linux servers right now.

• Then schedule the automation script via cron to never miss another critical update.

• Finally, invest in a dedicated lab environment (like this Raspberry Pi Kit) to test new security patches and configurations before rolling them into production.